Wiki article - Chroot vsftpd with non-system users

TrevorH
Site Admin
Posts: 33215
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Wiki article - Chroot vsftpd with non-system users

Post by TrevorH » 2011/11/17 13:36:21

Alan, since your name is at the bottom of the article http://wiki.centos.org/HowTos/Chroot_Vsftpd_with_non-system_users I suspect this is one for you...

I wanted to set up something similar to this article so that I could divorce ftp users from system users - i.e. give ftp users absolutely no ability to logon to anything else. I found a few shortcomings in it :-(

1) db_load does not [u]replace[/u] the contents of an existing accounts.db, it appends to it. This means that the instructions for deleting users do not work
2) Passwords are held in accounts.db in plain text and are humanly readable by anyone with read access to accounts.db. This can be fixed by using crypt=crypt on the pam entry and piping the password through e.g. openssl passwd -crypt -stdin -salt ab
3) The iptables rules probably only need the first of the two mentioned rules but ip_conntrack_ftp should be added to /etc/sysconfig/iptables-options IPTABLES_MODULES line. This, together with the standard RELATED,ESTABLISHED iptables rule should be sufficient.

To get this set up to completely ignore system based users I had to change guest_enable= from NO to YES and also I found that the per-user settings were unnecessary. I ended up with this lot

[code]
anon_world_readable_only=NO
anonymous_enable=NO
chroot_local_user=YES
guest_enable=YES
hide_ids=YES
listen=YES
local_enable=YES
max_clients=100
max_per_ip=2
nopriv_user=ftp
pam_service_name=ftp
session_support=NO
use_localtime=YES
user_config_dir=/etc/vsftpd/users
userlist_enable=YES
userlist_file=/etc/vsftpd/denied_users
xferlog_enable=YES
local_umask=022
connect_from_port_20=YES
dirlist_enable=YES
download_enable=YES
local_max_rate=110000
dual_log_enable=YES
user_sub_token=$USER
local_root=/var/ftp/virtual_users/$USER/
[/code]
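The two fixes described in points (1) and (2) above, rebuilding the database instead of appending to it and storing crypt()-hashed passwords for a crypt=crypt pam_userdb entry, as a shell script. This is an added example, not code from the post or from the wiki article; the "user:password" input format, the file paths and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the post or the wiki article): rebuild the
# pam_userdb database vsftpd authenticates against from a "user:password"
# file. It fixes points (1) and (2) above: the old database is deleted before
# db_load runs (db_load appends to an existing file), and passwords are stored
# as crypt() hashes so the PAM line can carry crypt=crypt, e.g.
#   auth required pam_userdb.so db=/etc/vsftpd/accounts crypt=crypt
# Assumed (constructed) input format: one "username:password" per line; blank
# lines and lines starting with '#' are ignored.

# Hash one plaintext password read from stdin with a random two-character
# salt, as the post suggests. OpenSSL 3.x has removed "passwd -crypt"; on
# such systems substitute a hasher whose output the system crypt() verifies.
crypt_password() {
    salt=$(LC_ALL=C tr -dc 'A-Za-z0-9./' < /dev/urandom | head -c 2)
    openssl passwd -crypt -stdin -salt "$salt"
}

# Turn "user:password" lines on stdin into the alternating key/value lines
# that "db_load -T -t hash" expects. $1 names the hashing command (default:
# crypt_password); it reads the plaintext on stdin and prints the hash.
# Everything after the first ':' is the password, so it may contain ':'.
db_load_input() {
    hasher=${1:-crypt_password}
    while IFS=: read -r user pass || [ -n "$user" ]; do
        case $user in ''|'#'*) continue ;; esac
        hash=$(printf '%s' "$pass" | "$hasher") || return 1
        printf '%s\n%s\n' "$user" "$hash"
    done
}

# Build database $2 (e.g. /etc/vsftpd/accounts.db) from user file $1. The old
# database is removed first so that deleted users really disappear.
build_accounts_db() {
    src=$1
    db=$2
    tmp=$(mktemp) || return 1
    db_load_input < "$src" > "$tmp" || { rm -f "$tmp"; return 1; }
    rm -f "$db" &&
        db_load -T -t hash -f "$tmp" "$db" &&
        chmod 600 "$db"
    status=$?
    rm -f "$tmp"
    return "$status"
}

# Usage: build_accounts_db /etc/vsftpd/users.txt /etc/vsftpd/accounts.db
```

Because the database is regenerated from the user file each time, removing a user is just deleting their line and re-running the build.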

AlanBartlett
Forum Moderator
Posts: 9345
Joined: 2007/10/22 11:30:09
Location: ~/Earth/UK/England/Suffolk

Re: Wiki article - Chroot vsftpd with non-system users

Post by AlanBartlett » 2011/11/17 16:47:18

@[b]Trevor[/b],

Although I was the last person to make a change to that page (probably a typo or English grammar), I did not write it nor do I fully understand it. :-?

There are two ways to get your modifications in place:

(1) Create your own wiki account, as per [url=http://wiki.centos.org/Contribute#head-42b3d8e26400a106851a61aebe5c2cca54dd79e5]Contribute to the Wiki[/url] and ask [b]Ralph[/b] to give you access to that page (preferred).

(2) Spell out exactly what you would like to see changed and then pass it to me to action on your behalf (less preferred).

I hope you will make the right choice. :-D

toracat
Site Admin
Posts: 7518
Joined: 2006/09/03 16:37:24
Location: California, US

Wiki article - Chroot vsftpd with non-system users

Post by toracat » 2011/11/17 16:52:46

I strongly recommend choice (1). :-)

Also, one can see the history of any wiki page by adding a [b]?action=info[/b] to the URL like so:

http://wiki.centos.org/HowTos/Chroot_Vsftpd_with_non-system_users?action=info

You see [b]Alan[/b] did a typo correction the last two times.
